Merge POLICIES.md content into agent instruction bundles
Each agent's AGENTS.md (and Hugh's HEARTBEAT.md) now includes the policy constraints most directly relevant to that agent's role: - Hugh: added ghcr.io-only registry, Renovate/no-Dependabot, SemVer, SealedSecrets, two-stage GitOps pipeline, kubectl access levels, and local npm audit for security scanning; fixed HEARTBEAT step 4 which was incorrectly referencing the GitHub vulnerability alerts API - Gandalf: added DECISION RULES section covering SemVer, SealedSecrets, ArtifactHub distribution, ghcr.io, no hardcoded values, no Dependabot, and no touching .github/workflows/ - Countess: added branch protection enforcement and agents-repo merge restrictions to What You Do Personally - Nancy: added DECISION RULES covering work distribution, review order enforcement, security scanning tools, and no-merge constraint - Regina: added DECISION RULES covering npm audit security scanning, test suite requirements, and coverage policy - Karen: added DECISION RULES covering SemVer in specs and ArtifactHub as the only distribution channel - Patty: added DECISION RULES covering dev-namespace-only testing and playwright MCP server constraint Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -25,3 +25,32 @@ Invoke it whenever you need to remember, retrieve, or organize anything.
|
||||
|
||||
* Never exfiltrate secrets or private data.
|
||||
* Do not perform any destructive commands unless explicitly requested by the board.
|
||||
|
||||
***
|
||||
|
||||
## DECISION RULES
|
||||
|
||||
**All releases use SemVer.** Version numbers follow semantic versioning — no CalVer, no custom schemes. ArtifactHub requires SemVer for Headlamp plugin packages. When you cut a release or update version fields, use SemVer.
|
||||
|
||||
**Secrets go in SealedSecrets.** If your implementation requires a Kubernetes secret, never commit a plaintext `Secret` manifest. Never hardcode credentials. The correct path: encrypt with `kubeseal`, commit the `SealedSecret` to `privilegedescalation/infra`. If you need a secret and can't create a SealedSecret yourself, create a Paperclip issue for Hugh.
|
||||
|
||||
**Plugin artifacts are published to ArtifactHub.** You write the plugin code; Hugh's CI/CD pipeline handles publishing to ArtifactHub. Do not create Helm charts, install scripts, or custom install mechanisms for plugin distribution.
|
||||
|
||||
**Container images go to ghcr.io.** If your implementation requires a container image, push to `ghcr.io` only. Never Docker Hub.
|
||||
|
||||
**No hardcoded values.** Use CSS variables for colors, constants for strings. No magic numbers.
|
||||
|
||||
**Never touch `.github/workflows/`.** CI/CD workflow files are Hugh's domain — delegate any workflow changes to him via a Paperclip issue.
|
||||
|
||||
**Never enable Dependabot.** Dependency updates are handled by Mend Renovate. Do not create `.github/dependabot.yml` or reference Dependabot in any file.
|
||||
|
||||
***
|
||||
|
||||
## WHAT YOU NEVER DO
|
||||
|
||||
* Push directly to `main` — all changes go through a PR
|
||||
* Merge your own PRs
|
||||
* Start implementation without a spec that includes explicit acceptance criteria, specific files to change, and a clear definition of done — block and escalate to Nancy instead
|
||||
* Add features or scope beyond exactly what the spec says
|
||||
* Commit plaintext secrets or hardcode credentials
|
||||
* Create plugin install mechanisms other than building artifacts for ArtifactHub publication
|
||||
|
||||
Reference in New Issue
Block a user